Methods and apparatus providing automatic signature generation and enforcement

US 8,806,650 B2
Filed: 07/23/2013
Issued: 08/12/2014
Est. Priority Date: 12/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method of providing computer security on a computer system, the method comprising:

inserting at least one notifying identifier in at least one computer system, the at least one notifying identifier providing execution information associated with the at least one computer system;

receiving execution information from the at least one notifying identifier, the execution information identifying details associated with a traffic flow comprising a plurality of data flows on the at least one computer system;

generating a signature by matching the signature against at least a portion of a data payload associated with at least one attack;

identifying a common sub-string from the plurality of data payloads on the at least one computer system; and

refining the signature based on the common sub-string identified from the plurality of data payloads on the at least one computer system, the refined signature utilized to prevent further damage caused to the at least one computer system by the at least one attack.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier, the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack.

Citations

19 Claims

1. A method of providing computer security on a computer system, the method comprising:
- inserting at least one notifying identifier in at least one computer system, the at least one notifying identifier providing execution information associated with the at least one computer system;
  
  receiving execution information from the at least one notifying identifier, the execution information identifying details associated with a traffic flow comprising a plurality of data flows on the at least one computer system;
  
  generating a signature by matching the signature against at least a portion of a data payload associated with at least one attack;
  
  identifying a common sub-string from the plurality of data payloads on the at least one computer system; and
  
  refining the signature based on the common sub-string identified from the plurality of data payloads on the at least one computer system, the refined signature utilized to prevent further damage caused to the at least one computer system by the at least one attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein inserting at least one notifying identifier in the at least one computer system, the at least one notifying identifier providing execution information associated with the at least one computer system comprises:
    - utilizing the at least one notifying identifier to filter data processing on the at least one computer system.
  - 3. The method of claim 1 wherein inserting at least one notifying identifier in the at least one computer system, the at least one notifying identifier providing execution information associated with the computer system comprises:
    - controlling a behavior of at least one application on the at least one computer system by the insertion of the at least one notifying identifier in the at least one computer system.
  - 4. The method of claim 1 wherein receiving execution information from the at least one notifying identifier, the execution information identifying details associated with a traffic flow on the at least one computer system comprises:
    - receiving notification that at least one attack has occurred on the at least one computer system; and
      
      receiving execution information associated with the at least one attack that occurred on the at least one computer system;
      
      mapping the execution information associated with the at least one attack to at least one data entry point on the at least one computer system; and
      
      identifying that the at least one attack is specific to that at least one data entry point on the at least one computer system.
  - 5. The method of claim 1 wherein generating the signature by matching the signature against at least a portion of a data payload associated with the at least one attack comprises:
    - generating the signature by matching the signature exactly against the at least one attack.
  - 6. The method of claim 1 wherein refining the signature comprises:
    - receiving the plurality of data payloads from at least one computer system to create an optimal signature that is operational on the at least one computer system.
  - 7. The method of claim 6 wherein receiving the plurality of data payloads from at least one computer system to create an optimal signature that is operational on the at least one computer system comprises:
    - identifying a sequence of at least one sub-string from the plurality of data payloads on the at least one computer system.
  - 8. The method of claim 6 wherein receiving the plurality of data payloads from at least one computer system to create an optimal signature that is operational on the at least one computer system comprises:
    - identifying a collection of sub-strings from some of the plurality of data payloads on the at least one computer system;
9. The method of claim 1 comprising:
- receiving a data payload on the computer system;
  
  comparing the data payload to the refined signature; and
  
  denying the data payload access to the computer system based on the comparison of the data payload to the refined signature.

10. A computerized device comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  
  wherein the memory is encoded with a signature generating application that when executed on the processor is capable of providing computer security on the computerized device by performing the operations of;
  
  inserting at least one notifying identifier in at least one computer system, the at least one notifying identifier providing execution information associated with the at least one computer system;
  
  receiving execution information from the at least one notifying identifier, the execution information identifying details associated with a traffic flow comprising a plurality of data flows on the at least one computer system;
  
  generating a signature by matching the signature against at least a portion of a data payload associated with at least one attack;
  
  identifying a common sub-string from the plurality of data payloads on the at least one computer system; and
  
  refining the signature based on the common sub-string identified from the plurality of data payloads on the at least one computer system, the refined signature utilized to prevent further damage caused to the at least one computer system by the at least one attack.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computerized device of claim 10 wherein when the computerized device performs the operation of inserting at least one notifying identifier in the at least one computer system, the at least one notifying identifier providing execution information associated with the at least one computer system, the computerized device is capable of performing the operation of:
    - utilizing the at least one notifying identifier to filter data processing on the at least one computer system.
  - 12. The computerized device of claim 10 wherein when the computerized device performs the operation of refining the signature, the computerized device is capable of performing the operation of:
    - receiving the plurality of data payloads from the at least one computer system to create an optimal signature that is operational on the at least one computer system.
  - 13. The computerized device of claim 12 wherein when the computerized device performs the operation of receiving the plurality of data payloads from at least one computer system to create an optimal signature that is operational on the at least one computer system, the computerized device is capable of performing the operations of:
    - identifying a collection of sub-strings from some of the plurality of data payloads on the at least one computer system;
      
      assigning a probability to each of the sub-strings within the collection of sub-strings; and
      
      associating the probability to a likelihood that a data payload associated with each of the sub-strings is one of the group consisting of a good data payload and a bad data payload.
  - 14. The computerized device of claim 12 wherein when the computerized device performs the operation of receiving the plurality of data payloads from at least one computer system to create an optimal signature that is operational on the at least one computer system, the computerized device is capable of performing the operation of:
    - identifying an sequence of at least one sub-string from the plurality of data payloads on the at least one computer system.

15. A non-transitory computer readable medium encoded with computer programming logic that when executed on a process in a computerized device provides computer security, the medium comprising:
- instructions for inserting at least one notifying identifier in at least one computer system, the at least one notifying identifier providing execution information associated with the at least one computer system;
  
  instructions for receiving execution information from the at least one notifying identifier, the execution information identifying details associated with a traffic flow comprising a plurality of data flows on the at least one computer system;
  
  instructions for generating a signature by matching the signature against at least a portion of a data payload associated with at least one attack;
  
  instructions for identifying a common sub-string from the plurality of data payloads on the at least one computer system; and
  
  instructions for refining the signature based on a the common sub-string identified from the plurality of data payloads on the at least one computer system, the refined signature utilized to prevent further damage caused to the at least one computer system by the at least one attack.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The non-transitory computer-readable medium of claim 15, wherein the instructions for inserting at least one notifying identifier in the at least one computer system, the at least one notifying identifier providing execution information associated with the at least one computer system comprise instructions for:
    - utilizing the at least one notifying identifier to filter data processing on the at least one computer system.
  - 17. The non-transitory computer-readable medium of claim 15 wherein when the instructions for refining the signature comprise instructions for:
    - receiving the plurality of data payloads from the at least one computer system to create an optimal signature that is operational on the at least one computer system.
  - 18. The non-transitory computer-readable medium of claim 17 wherein instructions for receiving the plurality of data payloads from at least one computer system to create an optimal signature that is operational on the at least one computer system comprise instructions for:
    - identifying a collection of sub-strings from some of the plurality of data payloads on the at least one computer system;
      
      assigning a probability to each of the sub-strings within the collection of sub-strings; and
      
      associating the probability to a likelihood that a data payload associated with each of the sub-strings is one of the group consisting of a good data payload and a bad data payload.
  - 19. The non-transitory computer-readable medium of claim 15, the medium further comprising:
    - instructions for receiving a data payload on the at least one computer system;
      
      instructions for comparing the data payload to the refined signature; and
      
      instructions for denying the data payload access to the at least one computer system based on the comparison of the data payload to the refined signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kraemer, Jeffrey A., Zawadowskiy, Andrew, Gladstone, Philip J. S.
Primary Examiner(s)
LEE, JASON T

Application Number

US13/949,173
Publication Number

US 20130312104A1
Time in Patent Office

385 Days
Field of Search

726/13, 726/14, 726/25, 713/160, 709/224
US Class Current

726/25
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Methods and apparatus providing automatic signature generation and enforcement

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus providing automatic signature generation and enforcement

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links